5 Replies Latest reply: Apr 13, 2012 7:21 AM by Irfan Sri

    how to config Split Tunnel on ASA 8.2 ??

    Irfan Sri

      Hi,

      I need to give our branch office access to a web address outside of the VPN tunnel. Our branch office is connected to our main office using an IPsec VPN tunnel. The VPN tunnel was created between the outside interfaces of the two ASA firewalls at the main office and branch office. The branch office ASA only has inside and outside interfaces (other interfaces are disabled), so the branch office network or one of its hosts needs to connect to the 208.66.130.xx IP on the Internet.

      So the branch office traffic will come to the main office ASA outside interface using the VPN tunnel, and it needs to go out again to the web address IP using the same outside interface. The main office can also access the same web address (208.66.xx.xx) from the outside interface.

      So if the branch office needs to go out from the tunnel, can I configure split tunnel on the main office ASA? Can anybody explain to me how to configure split tunnel using the CLI? I cannot find any tab or anything in ASDM for split tunnel as described in the Cisco document below. Our ASA version is 8.2(2).

      http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

       

      Thanks

        • 1. Re: how to config Split Tunnel on ASA 8.2 ??
          Paul Stewart  -  CCIE Security

          Split tunneling is really a concept for remote access VPN. It sounds like you have a standard LAN-to-LAN VPN. With that, what is tunneled is whatever matches the crypto ACL. So are you wanting to hairpin all of the branch traffic through the main ASA, or allow it to connect to the Internet directly? The crypto ACL will certainly define what is encrypted. If you are planning to route the branch traffic through the main ASA, where is the NAT configured?

          • 2. Re: how to config Split Tunnel on ASA 8.2 ??
            DelVonte

            On a router you could route the traffic out the source interface that is directly connected to the Internet, but seeing how this is an ASA, I'm not sure.

             

            You might be able to do the same thing by creating a static route to force the traffic out the ASA Outside interface, but I'm not sure about the details. Like Paul mentioned, you might need to set up NAT, and possibly add some rules to allow traffic to flow between the Inside and Outside interfaces.

             

            If you do get it to work, I'm curious what you had to do.

             

            Regards,

             

            DelVonte

            • 3. Re: how to config Split Tunnel on ASA 8.2 ??
              Irfan Sri

              Hi Paul and DelVonte,

              Thanks for the reply.

              There is a route for the web address IP as follows.

              route outside 208.66.xxx.xx  255.255.255.0 216.161.108.111 (not the outside interface IP address, but all the routes for outside point to this IP)

              But there is no ACL or NAT for the 208.66.xx.xx IP on the main office ASA.

              On the main office ASA I can find some ACLs and routes for the branch office IPs as follows (I don't think providing those will affect our network security):

               

              access-list dmz2 extended permit ip 10.7.86.0 255.255.255.0 10.150.150.0 255.255.255.0

              access-list inbound extended permit ip 10.7.86.0 255.255.255.0 10.150.150.0 255.255.255.0

               

              access-list inbound extended permit ip 10.7.86.0 255.255.255.0 any

              access-list inbound extended permit ip any 10.7.86.0 255.255.255.0

              access-list mgmt extended permit ip 10.7.86.0 255.255.255.0 10.56.56.0 255.255.255.0

              access-list outside_1_cryptomap extended permit ip any 10.7.86.0 255.255.255.0

              access-list inside_nat0_outbound extended permit ip any 10.7.86.0 255.255.255.0

               

              route outside 10.7.86.0 255.255.255.0 216.161.xx.xx >>(outside interface ip address)

               

              What I need to do is let the branch network, or any of its hosts, access this web address, so branch office traffic will come to the main office network using the VPN tunnel. I think if we allow all the traffic of the branch office to the Internet, it will be a security issue for the network, so how can I allow the branch office to access one web address? Not all the Internet; I need only one official web site on the Internet, with an IP starting with 208.66.xx.xx.

              When I ran packet tracer on the ASA and saved the log at the same time, the log was as follows:

               

              10.7.86.10|80|208.66.139.xx|80|Teardown TCP connection 297036897 for outside:10.7.86.10/80 to outside:208.66.139.xx/80 duration 0:00:00 bytes 0 IPsec spoof packet detected

              4|Apr 02 2012|10:48:04|402117|10.7.86.10||208.66.139.xx||IPSEC: Received a non-IPSec packet (protocol= TCP) from 10.7.86.10 to 208.66.139.xx

              Thanks.

              • 4. Re: how to config Split Tunnel on ASA 8.2 ??
                Gamalier Sanchez Javier

                Well, I don't understand very well what it is that you want to do, but I think that it could be done very simply.

                If you have a branch office connecting to your HQ, you have a site-to-site VPN, like Paul said. And that thought is reinforced by the fact that in your configuration there's not a crypto dynamic map.

                You said that you want the branch office to communicate with some host on the Internet across the VPN with your HQ. You can do that by specifying the Internet host with the specific port in the crypto ACL. With that, when the branch office needs to connect to that web page, the traffic will pass across the tunnel, and the traffic not included in the ACL will bypass the tunnel and go directly to the Internet. If you don't want to pass that traffic directly to the Internet and just permit the tunneled traffic, the strategy is the same, but with an additional ACL (or something alike) applied directly at interface level. The ACL will work the same way as split tunneling in remote access. That must be the reason split tunneling is not present in site-to-site.

                 

                Well, I think you can solve the issue with that.

                • 5. Re: how to config Split Tunnel on ASA 8.2 ??
                  Irfan Sri

                  Hi,

                  Thanks everyone. I understood from your replies how traffic will work with the tunnel. As Paul said, I just checked NAT on the main office ASA. I found there is a NAT on the inside interface to pass traffic to the outside, dmz2 and management interfaces. It's a policy NAT. So I understood that inside interface traffic will use that policy NAT, but VPN traffic doesn't know about this policy NAT, because VPN traffic comes in from the outside interface. So I added a NAT using the same policy NAT on the outside interface, and finally it worked.

                  Thanks again.
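
The hairpin setup the thread converges on (the crypto ACL from reply 4, the outside-interface NAT from reply 5), written out as ASA 8.2 configuration. This is an added example, not configuration posted by anyone in the thread; 203.0.113.10, the ACL names BRANCH_CRYPTO, BRANCH_NAT0 and BRANCH_WEB_PAT, and NAT ID 10 are placeholders.

```text
! Added example, not from the thread. Pre-8.3 (ASA 8.2) NAT syntax.
! Constructed values: 203.0.113.10 stands in for the web site (the thread
! elides the real address). BRANCH_CRYPTO, BRANCH_NAT0, BRANCH_WEB_PAT and
! NAT ID 10 are hypothetical names. 10.7.86.0/24 is the branch LAN from
! the thread.

! ---------- Branch ASA ----------
! Add the web site to the crypto ACL (BRANCH_CRYPTO = the ACL the branch
! crypto map already matches on). Only destinations listed there enter the
! tunnel; anything else is not sent to the main office.
access-list BRANCH_CRYPTO extended permit ip 10.7.86.0 255.255.255.0 host 203.0.113.10

! Exempt the same flow from branch NAT so it reaches the tunnel with its
! 10.7.86.x source (BRANCH_NAT0 = the ACL already bound with
! "nat (inside) 0 access-list ...").
access-list BRANCH_NAT0 extended permit ip 10.7.86.0 255.255.255.0 host 203.0.113.10

! ---------- Main office ASA ----------
! The mirror crypto ACL entry is already covered by the line in the thread:
!   access-list outside_1_cryptomap extended permit ip any 10.7.86.0 255.255.255.0

! Allow decrypted traffic to leave through the interface it arrived on.
same-security-traffic permit intra-interface

! Policy PAT on the outside interface, scoped to branch -> web site on
! TCP/80. Only this flow gets a public source address, which keeps the
! hairpin limited to the one site instead of the whole Internet.
access-list BRANCH_WEB_PAT extended permit tcp 10.7.86.0 255.255.255.0 host 203.0.113.10 eq www
nat (outside) 10 access-list BRANCH_WEB_PAT
global (outside) 10 interface

! Checks on the main office ASA while a branch host loads the site:
!   show crypto ipsec sa peer <branch-peer-ip>   (decaps counter increasing)
!   show xlate                                   (PAT entry for 10.7.86.x)
```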